Merge branch 'ia/ssl/default-ciphers/OTP-11966' into maint

* ia/ssl/default-ciphers/OTP-11966:
  ssl: Workaround that gen_fsm does not call CB:format_status when CB:terminate crashes.
  SSL: always filter the full list of supported ciphers against the supported algorithms
  ssl: Filter default ciphers for supported Crypto algorihms

5 files changed, 42 insertions, 74 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 189bbd7edd..be1041ca13 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -346,17 +346,22 @@ negotiated_next_protocol(#sslsocket{pid = Pid}) ->
 %%--------------------------------------------------------------------
 cipher_suites() ->
     cipher_suites(erlang).
-  
+
 cipher_suites(erlang) ->
     Version = tls_record:highest_protocol_version([]),
-    [suite_definition(S) || S <- ssl_cipher:suites(Version)];
-
+    ssl_cipher:filter_suites([suite_definition(S)
+                              || S <- ssl_cipher:suites(Version)]);
 cipher_suites(openssl) ->
     Version = tls_record:highest_protocol_version([]),
-    [ssl_cipher:openssl_suite_name(S) || S <- ssl_cipher:suites(Version)];
+    [ssl_cipher:openssl_suite_name(S)
+     || S <- ssl_cipher:filter_suites(ssl_cipher:suites(Version))];
 cipher_suites(all) ->
     Version = tls_record:highest_protocol_version([]),
-    [suite_definition(S) || S <- ssl_cipher:all_suites(Version)].
+    Supported = ssl_cipher:all_suites(Version)
+	++ ssl_cipher:anonymous_suites(Version)
+	++ ssl_cipher:psk_suites(Version)
+	++ ssl_cipher:srp_suites(),
+    ssl_cipher:filter_suites([suite_definition(S) || S <- Supported]).
 
 %%--------------------------------------------------------------------
 -spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
@@ -929,8 +934,11 @@ handle_cipher_option(Value, Version)  when is_list(Value) ->
 	error:_->
 	    throw({error, {options, {ciphers, Value}}})
     end.
-binary_cipher_suites(Version, []) -> % Defaults to all supported suites
-    ssl_cipher:suites(Version);
+
+binary_cipher_suites(Version, []) -> 
+    %% Defaults to all supported suites that does
+    %% not require explicit configuration
+    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
 binary_cipher_suites(Version, [{_,_,_,_}| _] = Ciphers0) -> %% Backwards compatibility
     Ciphers = [{KeyExchange, Cipher, Hash} || {KeyExchange, Cipher, Hash, _} <- Ciphers0],
     binary_cipher_suites(Version, Ciphers);
@@ -939,14 +947,15 @@ binary_cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
     binary_cipher_suites(Version, Ciphers);
 
 binary_cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    Supported0 = ssl_cipher:suites(Version)
+    All = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites()
 	++ ssl_cipher:psk_suites(Version)
 	++ ssl_cipher:srp_suites(),
-    Supported = ssl_cipher:filter_suites(Supported0),
-    case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported)] of
+    case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, All)] of
 	[] ->
-	    Supported;  %% Defaults to all supported suits
+	    %% Defaults to all supported suites that does
+	    %% not require explicit configuration
+	    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
 	Ciphers ->
 	    Ciphers
     end;
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index a3ec419c2a..72467ea2a0 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1019,7 +1019,8 @@ openssl_suite_name(Cipher) ->
 %%--------------------------------------------------------------------
 -spec filter(undefined | binary(), [cipher_suite()]) -> [cipher_suite()].
 %%
-%% Description: .
+%% Description: Select the cipher suites that can be used together with the 
+%% supplied certificate. (Server side functionality)  
 %%-------------------------------------------------------------------
 filter(undefined, Ciphers) -> 
     Ciphers;
@@ -1053,7 +1054,7 @@ filter(DerCert, Ciphers) ->
 %%--------------------------------------------------------------------
 -spec filter_suites([cipher_suite()]) -> [cipher_suite()].
 %%
-%% Description: filter suites for algorithms
+%% Description: Filter suites for algorithms supported by crypto.
 %%-------------------------------------------------------------------
 filter_suites(Suites = [{_,_,_}|_]) ->
     Algos = crypto:supports(),
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 3b89cf7b71..2ab085321a 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -323,7 +323,7 @@ handle_info(Msg, StateName, State) ->
 %% Reason. The return value is ignored.
 %%--------------------------------------------------------------------
 terminate(Reason, StateName, State) ->
-    ssl_connection:terminate(Reason, StateName, State).
+    catch ssl_connection:terminate(Reason, StateName, State).
 
 %%--------------------------------------------------------------------
 %% code_change(OldVsn, StateName, State, Extra) -> {ok, StateName, NewState}
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 067417d163..7a5f9c1b38 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -183,23 +183,7 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor},
 
 -spec suites(1|2|3) -> [ssl_cipher:cipher_suite()].
 
-suites(Minor) when Minor == 1; Minor == 2->
-    case sufficent_ec_support() of
-	true ->
-	    all_suites(Minor);
-	false ->
-	    no_ec_suites(Minor)
-    end;
-
-suites(Minor) when Minor == 3 ->
-    case sufficent_ec_support() of
-	true ->
-	    all_suites(3) ++ all_suites(2);
-	false ->
-	    no_ec_suites(3) ++ no_ec_suites(2)
-    end.
-
-all_suites(Minor) when Minor == 1; Minor == 2->
+suites(Minor) when Minor == 1; Minor == 2 ->
     [
       ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
@@ -235,7 +219,7 @@ all_suites(Minor) when Minor == 1; Minor == 2->
 
       ?TLS_RSA_WITH_DES_CBC_SHA
     ];
-all_suites(3) ->
+suites(3) ->
     [
      ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
@@ -254,33 +238,7 @@ all_suites(3) ->
      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
      ?TLS_RSA_WITH_AES_128_CBC_SHA256
-    ].
-
-no_ec_suites(Minor) when Minor == 1; Minor == 2->
-    [
-      ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-      ?TLS_RSA_WITH_AES_256_CBC_SHA,
-      ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-      ?TLS_RSA_WITH_AES_128_CBC_SHA,
-      ?TLS_RSA_WITH_RC4_128_SHA,
-      ?TLS_RSA_WITH_RC4_128_MD5,
-      ?TLS_DHE_RSA_WITH_DES_CBC_SHA,
-      ?TLS_RSA_WITH_DES_CBC_SHA
-    ];
-no_ec_suites(3) ->
-    [
-     ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-     ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-     ?TLS_RSA_WITH_AES_256_CBC_SHA256,
-     ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-     ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
-     ?TLS_RSA_WITH_AES_128_CBC_SHA256
-    ].
+    ] ++ suites(2).
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -442,7 +400,3 @@ enum_to_oid(27) -> ?brainpoolP384r1;
 enum_to_oid(28) -> ?brainpoolP512r1;
 enum_to_oid(_) ->
     undefined.
-
-sufficent_ec_support() ->
-    CryptoSupport = crypto:supports(),
-    proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 804fb1c9c0..0875a460b2 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -883,14 +883,16 @@ psk_suites() ->
     ssl_cipher:filter_suites(Suites).
 
 psk_anon_suites() ->
-    [{psk, rc4_128, sha},
-     {psk, '3des_ede_cbc', sha},
-     {psk, aes_128_cbc, sha},
-     {psk, aes_256_cbc, sha},
-     {dhe_psk, rc4_128, sha},
-     {dhe_psk, '3des_ede_cbc', sha},
-     {dhe_psk, aes_128_cbc, sha},
-     {dhe_psk, aes_256_cbc, sha}].
+    Suites =
+	[{psk, rc4_128, sha},
+	 {psk, '3des_ede_cbc', sha},
+	 {psk, aes_128_cbc, sha},
+	 {psk, aes_256_cbc, sha},
+	 {dhe_psk, rc4_128, sha},
+	 {dhe_psk, '3des_ede_cbc', sha},
+	 {dhe_psk, aes_128_cbc, sha},
+	 {dhe_psk, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_suites() ->
     Suites =
@@ -903,9 +905,11 @@ srp_suites() ->
     ssl_cipher:filter_suites(Suites).
 
 srp_anon_suites() ->
-    [{srp_anon, '3des_ede_cbc', sha},
-     {srp_anon, aes_128_cbc, sha},
-     {srp_anon, aes_256_cbc, sha}].
+    Suites =
+	[{srp_anon, '3des_ede_cbc', sha},
+	 {srp_anon, aes_128_cbc, sha},
+	 {srp_anon, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_dss_suites() ->
     Suites =